Macs Face Zero-Day Exploit and Firmware Worm

An exploit for a privilege-escalation zero-day vulnerability in Apple's latest version of OS X has cropped up in the wild, spreading malware without the need for system passwords. So far, the exploit is installing adware like VSearch, Genieo package variations and MacKeeper.

The news comes hard on the heels of the creation of Thunderstrike 2, a proof-of-concept firmware worm that’s the first to attack Macs.

According to Malwarebytes Labs, the zero-day exploit consists of an installer that takes advantage of error-logging features introduced in the latest version of OS X (Version 10.10.4). After modifying a Mac's configuration file, hackers can gain root-level permissions.

“The change made by the script allows shell commands to be executed as root using sudo, without the usual requirement for entering a password,” Malwarebytes explained in an analysis. “The script that exploits the DYLD_PRINT_TO_FILE vulnerability is written to a file and then executed. Part of the script involves deleting itself when it's finished.”

The script uses sudo's new password-free behavior to launch the VSInstaller app, which is found in a hidden directory on the installer's disk image, giving it full root permissions, “and thus the ability to install anything anywhere,” the firm said.
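A defender can check for the kind of change described above by auditing the sudo configuration for rules that skip the password prompt. The following is an added example, not code from Malwarebytes or from the original article. It assumes the modification takes the form of a `NOPASSWD:` tag or a `Defaults ... !authenticate` setting in sudoers syntax, which the article does not specify, and the account name `exampleuser` and the sample file are constructed.

```python
import re

# Constructed sample (not from an infected machine): stock-style rules plus
# two password-free entries for a hypothetical account "exampleuser".
SAMPLE_SUDOERS = """\
# sudoers file.
Defaults env_reset
root    ALL=(ALL) ALL
%admin  ALL=(ALL) ALL
# %admin ALL=(ALL) NOPASSWD: ALL
exampleuser ALL=(ALL) \\
    NOPASSWD: ALL
Defaults:exampleuser !authenticate
"""

NOPASSWD_TAG = re.compile(r"\bNOPASSWD\s*:")
NO_AUTH_DEFAULT = re.compile(r"^Defaults\S*\s.*!\s*authenticate\b")

def logical_lines(text):
    """Yield (first_line_number, joined_line), honouring backslash continuations."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        start = start or number
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:  # file ended on a continuation line
        yield start, buf

def strip_comment(line):
    """Drop a '#' comment but keep #include/#includedir directives."""
    if line.lstrip().startswith("#include"):
        return line.strip()
    # '#' followed by a digit is a uid/gid reference in sudoers, not a comment
    return re.sub(r"#(?!\d).*$", "", line).strip()

def find_passwordless_rules(text):
    """Return [(line_number, rule)] for entries that let sudo skip the password."""
    findings = []
    for number, line in logical_lines(text):
        rule = " ".join(strip_comment(line).split())
        if NOPASSWD_TAG.search(rule) or NO_AUTH_DEFAULT.search(rule):
            findings.append((number, rule))
    return findings

if __name__ == "__main__":
    for number, rule in find_passwordless_rules(SAMPLE_SUDOERS):
        print(f"line {number}: {rule}")
```

On a real system, pass the function the contents of the sudoers file and of any files it includes, then compare each finding against the rules administrators intentionally configured.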

The flaw was uncovered by researcher Stefan Esser last week. He blogged on the issue and released a working proof-of-concept exploit, along with a patch. Some have questioned Esser's ethics in choosing to reveal his source code before Apple had patched the issue. He said that he released it to compensate for what he says are poor security practices on the part of Apple.

“Before going into the exploitation of this problem please be reminded that because it will likely take months for Apple to react to this issue we released a kernel extension that protects from this vulnerability by stopping all DYLD_ environment variables from being recognized by the dynamic linker for SUID root binaries,” he wrote. “In addition to that it adds a mitigation against a common trick to circumvent O_APPEND restrictions on file descriptors.”

News of the exploit comes after researchers published Thunderstrike 2, which affects both Macs and PCs. Because it lives in firmware, it can spread from Mac to Mac without the machines needing to be attached to a network or the internet. The only method of mitigation is re-flashing the firmware chips.

“[The attack is] really hard to detect, it’s really hard to get rid of, and it’s really hard to protect against something that’s running inside the firmware,” Xeno Kovah, one of the researchers who designed the worm, told Wired. “For most users that’s really a throw-your-machine-away kind of situation. Most people and organizations don’t have the wherewithal to physically open up their machine and electrically reprogram the chip.”
